Posted
by
Soulskill
on Wednesday December 05, 2012 @09:10AM
from the otherwise-the-terrists-win dept.

An anonymous reader writes "U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnback added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"

I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".

Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

Subsidiaries work fine against civil claims, but they are not effective against this sort of criminal law. The US can apply great pressure on the people who run the US holding company to get the data for them. The board of the subsidiary will normally be made up of people from the holding company. Even if it isn't, because the board of the holding company control the shares of the subsidiary, they can replace the subsidiary's directors.

You could put your faith in the local subsidiary staff to resist any req

Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

Rather than handing the keys over to the hosting company, the company should hold their own encryption keys - then no one can access their data without permission, not even the hosting company. (well at least not data at rest - the hosting company can still intercept web traffic, scrape server memory, etc).

A large UK based multi-national org that I've worked for has the exact problem of hosting all its data centres in the USA. The big problem is that there are USA laws that apply that there is no equivalent in the UK/EU and there are contradictory laws where a lawyer would just choose the best jurisdiction. With-holding keys would be an offence under UK law (RIPA) but not under USA law.

e.g. in the UK, Freedom of Information only applies to government entities.

But at least the extradiction request would have to be made in the open -- so it could not be done in secret as can be done under the patriot act.
If enough fuss is made then local (non USA) politicians might get enough complains to do something about it.

China is a bigger market and American companies are just as prepared to do business there regardless of the implications. The more we extend our laws the less argument we have when someone is arrested on a business trip to China* and put in some hell hole for something that they did not realise was illegal.

With the proliferation of MPLS networks, this would not be all that hard to do on an organizational level. Host your servers in [Generic Non-Extradition Country] and link all of your sites/users via MPLS or VPN to your MPLS network, as well as any other "trusted" entities.

In the Netherlands, we want to host our own data. Some want to build a national database for medical data. However, an American company is developing the software - so that might be enough for the Americans to demand access to whatever is put on that database.

So, essentially, when any US based company deals with another third party, all the data of this third party does is now declared property of the US.

This was front page news just a week ago. Not a really good advertisement for US based software developers. For the record, the project manager (who is Dutch) denies that the Americans would get access. And I guess that under the Patriot Act it is also illegal to claim that the US is snooping around. So, for the record, I deny writing this post, since this is hosted on an American server - or at least maintained by people who create American-centric polls.

According to TFA, it does not matter where the data is stored. It matters if you do business with the country issuing the law...
Of course, almost no US companies does business with China, so no worries there.

US companies may however be more willing to secretly break EU law by handing data to US, than breaking US law by handing data to China...
All this is theoretical, based on a research paper. If proof surfaces that Amazon, Google et al. passes European Data to the US Governemnt against EU privacy regulations, it would be headline stuff for a long time, weeks and have huge international diplomatic and business repercussions.

Actually no... I read an interesting advisory about the issue. That is why we see cloud providers boast about EU or German only clouds and it works. (As advertised on this very site.) For some companies and professions it would be legal suicide if it ever came out that they needed to comply with the patriot act on data from and about Europeans.

The EU Data Protection Directive is very specific on this issue; the hosting/cloud company can only locate the data in the US, or even transmit it there, if there is an explicit guarantee that the data has the same level of protection.

Basically yes, the US could use the Patriot Act to obtain protected EU data from US-based companies. And yes, the company would then have broken the EU directive and would face the courts.

Re use the information?
Could be as simple as a commercial deal lost. Your EU firm is blacklisted for illegal gov support after some tax records are recovered/shared.
A request is made to move more work/data to the USA under a 'free trade' deal - yes or no? If "no" your even more suspect.
Your trade with countries around the world is sorted into areas of interest to the US gov.
Depends on your links to 2nd and third parties. Cuba? Middle East? Africa? Asia? South America? Stepping on an area the US

Cause the top guy in the EU subsidiary, and every single person in the chain down to the guy who gave access to the US, would not mind spending time in jail? Either the top guy knows, or someone else is getting screwed, so someone is going to cover their ass and tell.

And they're all, more than likely, living in the Europe so the prospect of being wanted in the US versus being in jail in the EU should be an easy choice.

Because it is the law to disclose when that data leaves the EU. So you either break EU law twice or EU and US law once each. Nice choice. One way can get your company fined into oblivion, the other goes after personnel and (allegedly) imprisons them. Guess which will be chosen.

It's not bullshit at all. But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD. In other words, many US companies are excluded by default from providing cloud services to many European agencies.

But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD.

No, it makes it impossible. the PATRIOT act says "no matter what local laws say, you are obligated to do this"... the data protection in other countries says "you are absolutely required to not do that".

Basically, the Americans are saying their laws trumps everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else.

Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else -- and American businesses might suddenly find themselves as unwelcome entities around the world as you pointed out. (Which of course they would probably go to the WTO or say "Waahh, you won't let us play in your sandbox" to try to force those countries to allow American companies to do business despite the fact that they essentially can't be trusted.)

Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state -- because if any other country passed a law that said "if you do systematic business here, you must hand over your data to our government", the US would be up in arms talking about the freedoms they're not prepared to extend to other countries.

I know here in Canada, US owned companies are precluded from some government contracts for this very reason, and pretty much all cloud providers which could host data there are not legally allowed because they open the risk of sensitive data being handed to the Americans without anybody knowing.

I think this will pretty much be the point at which a lot of these US companies who could be in this position will suddenly start finding a lot of doors closed in their face with a "Oh, sorry, since we can't trust you or your government, you can't come in".

That's not unique to the US though, many European countries had been doing similar things in other parts of the world at the same time but for a much longer period of time. Doesn't excuse any of it of course. Morals are things that happen when there's no money at stake.

I certainly don't believe it is, we're simply the most successful current example. History is replete with examples of misconduct by and/or in support of the nation's (geographical) other nation company. The point was not to single out the USA as being the paragon of evil, but to forestall any pro-US cheerleading on this account.

As one of 'the Americans', I'd like to apologize for the theft of Canadian data. I can say with confidence that most of us don't want your data. It is unfortunate that a small but powerful segment of our population have done this in the name of us all.

Basically, the Americans are saying their laws trumps everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else. Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

Yes, if you do business in the US (any business) you need to comply with US law. It works the same for Europe and other places. The only difference is that the US market is so important that companies can't

1. Enforcing judgements is not the same as knocking on some business' door in Brussels and saying give us your data, or else.

Actually, the set of laws you can meaningfully pass is the same as the set of laws you can meaningfully enforce.

2. Yes, exactly like that. It was bad then, it's just as bad now.

Nonsense. Europeans forced other nations to comply with their self-serving laws at the barrel of a gun. The US is engaged in law enforcement and anti-terrorism activity, and any company that doesn't want to com

If Deutsche Telekom bought Yahoo, Yahoo would be a US branch of Deutsche Telekom. You're suggesting that Yahoo then wouldn't have to comply with US laws anymore. That's crazy.

A "US branch" is a US corporation, like any other US corporation. The fact that some foreign entity owns the shares makes no difference. If US law enforcement makes a lawful request for information, they have to comply or face the consequences. And that works no differently anywhere else.

Sorry, but no other country tries to extend their laws outside their borders as US does. US seems to think that their laws trump any local laws of any other country whenever they see fit. That is a delusion of grandeur that may still prove to be its downfall.

Or, to use a car analogy, how would you like it if the government of Saudi Arabia could stop your car from working, in case a woman drove it, because that was the price for allowing the car company to also sell cars there?

If the Saudis want to impose this condition on Ford, Ford has a clear choice: sell cars in Saudi Arabia and comply with their laws, or sell cars in the US and comply with US laws. It can't to both. Where's the problem?

I see a lot of criticism with regard to the Patriot Act, but a lot of it is due to misinformation and it isn't going to have a practical effect in most cases.
The United States has mutual legal assistance treaties with other countries so unless you're storing your data in Venezuela, they'll probably be able to get it if terrorism is suspected.
Canada has the Canadian Anti-Terrorism Act, which is very similar to the Patriot Act, except that no one ever talks about it. In the event that there is a bona fid

Exactly so. There are treaties which specifically require sharing of intelligence data with the USA (and other countries). These treaties are generally held to trump laws prohibiting the sharing of such data.

e.g.-USA makes request of company x for data.

-Company x responds that it is not allowed to provide the data, per law y in country z.

-USA requests that country z provide exception to law y for company x regarding the requested data, per treaty.

There's a massive difference between the US asking Canada to acquire and share data relating to a crime in Canada, and the US forcing companies to break Canadian law to gain access to data relating to activities that may be perfectly legal in Canada.

One of those approaches respects the sovereignty of other nations and is ethically sound.

That'll be in a Terms of Service or EULA. Larger companies will have lawyers review those, not the average developer or citizen.

Amazon and Microsoft must love how that part of the Patriot Act fucks their business up. Many European companies, and 100% of the governments, won't subscribe to their service just because US can seize the content. Thanks for boosting our local economies by making it worthwhile for European companies (Thales, Dassault, Bull, Orange) to build their own cloud with no competition fro

We use Concur, a US based company, to do our expenses and even travel arrangements.
We also do business in and with for example Cuba and until last year in Iran, something the US has laws against.
I can see one of our employees having visited Cuba and done his expense claim via Concur being stopped at some US airport.

With this in mind and the document to support it I'll use my authority as a works council member to advise the company seek legal advise and possibly to re-evaluate our co

If you are Australian and use an Australian cloud- you fall under Australian law and whatever the NSA can find.
If you are Australian and use a cloud with links to the USA - you fall under Australian law and whatever any US state or federal agency in the USA feels like looking for.
Your "strong encryption" lasts the links but in the cloud at some point its like plain text again.
Welcome to CALEA and many other laws, letters:)

Don't do business with an American company or a company that has an office in the US if you plan to use its service to store sensitive information. This may sound a bit blunt, but for me it's the only proper answer to the patriot act.

I don't do any business with an American company. But my hospital does. It stores all my data in an Electronic Patient Record built by an American company and hosted St. Isidorus knows where. It was already in the news that all our electronic patient records are potentially unsafe because of American law.

Somehow Congress passed a law which the president signed declaring that the US Secretary of Transportation can shield U.S. airlines from paying a carbon tax. I suppose we will provide a military escort when they refuse landing?

You are correct, but make no mistake, the reason the US will do whatever they feel like is because they have the world's most formidable military by a large margin. Which basically makes it the world's largest terrorist organization. What else do you call it when you have the biggest stick on the planet and the mere threat of it is enough to make other countries do as you please? It is textbook terrorism.

And you know that it is a totalitarian regime when millions of its citizens are out of work, homeless, s

We have the best technology. Not really the best anything else. T99s are better than Abrahms - we'll see if the M3 gives us the edge again. Our infantry rifles, while decent, are still 50 years old. We've attempted to replace them several times and have turned down superior weapons like the M416. Our active military is still smaller than North Korea and China.
Countries hardly do as we please. All we do is piss everyone off and shit down their throats and then the government, for the benefit of the sheep,

We also have the most of it. Though tanks and rifles are practically irrelevant. We live on a water planet. Therefore its the Navy this is of the most concern, and we have eight Nimitz class aircraft carriers complete with, I assume, long range fighters, not to mention drones, with presumably medium to long range missiles in addition to their support fleets.

One of those floating fortresses can easily subdue most countries entire military without the use of ground forces. Though there are really only a handf

Don't participate in arguments you're unqualified for. Communist? No. All his viewpoints? Wrong. They aren't even his viewpoints, Romney and Obama and even Clinton and Bush were and are all pawns controlled by globalists. Yea, not actual communism, no one understand what the actual concept of communism is of course.
That doesn't excuse that he has done more damage than 16 years of Bush/Clinton combined (not that Clinton did too much, he actually had a budget surplus).

Obama's obviously not the messiah that some people made him up to be, but he's nowhere near Bush in damage dealt to both the US and foreign relations. If you think Obama is the most harmful US president of the last 20 year, you must have been in a coma or just horribly ignorant.

It's true that a lot of the badness enacted by Bush still hasn't been removed by Obama. This is down to political maneuvering of course, but also down to a republican-dominated house hell-bent on screw

European authorities can get personal data on Americans under Europe's (rather bad) laws when that data is hosted on European servers.It's not America's fault that Europeans have, for the most part, failed to create online services that are attractive to people.

What makes you think the EU doesn't do this? Nations like France and Germany probably don't bother with such niceties as legal orders to reveal this data, they just put government operatives into German subsidiaries and have them take whatever they want.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Any act of congress which purports to empower the executive branch to search without probable cause is unconstitutional, and therefore not a law at all.

because the main reason for servers there was, that most eu companys need to ensure, that their data is not accessed from countries without reasonable data privacy laws.But it will freshen the cloud market, because eu companies will get a bigger share, which will lead to more competition.